b'TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION\n\n\n\n\n                  Affordable Care Act: Expanded Guidance\n                 Provided Assistance to the Exchanges, but\n                   Greater Assurance of the Protection of\n                     Federal Tax Information Is Needed\n\n\n\n                                     September 16, 2014\n\n                             Reference Number: 2014-23-070\n\n\n\n\nThis report has cleared the Treasury Inspector General for Tax Administration disclosure review process\n and information determined to be restricted from public release has been redacted from this document.\n\n\n\nPhone Number / 202-622-6500\nE-mail Address / TIGTACommunications@tigta.treas.gov\nWebsite        / http://www.treasury.gov/tigta\n\x0c                                                 HIGHLIGHTS\n\n\nAFFORDABLE CARE ACT: EXPANDED                        WHAT TIGTA FOUND\nGUIDANCE PROVIDED ASSISTANCE TO                      The IRS provided staff dedicated to facilitating\nTHE EXCHANGES, BUT GREATER                           the readiness of ACA Exchanges to receive FTI\nASSURANCE OF THE PROTECTION OF                       and meet the October 1, 2013, deadline for\nFEDERAL TAX INFORMATION IS                           enrollment for health insurance to begin. 
Also,\nNEEDED                                               TIGTA observed the Office of Safeguards while\n                                                     it conducted on-site reviews of two Exchanges\n                                                     and found its on-site testing procedures to be\nHighlights                                           generally adequate.\n                                                     However, additional procedures are needed to\nFinal Report issued on                               provide greater assurance that FTI will be\nSeptember 16, 2014                                   protected prior to approving its release.\n                                                     Specifically, IRS procedures did not require the\nHighlights of Reference Number: 2014-23-070          Exchanges or other agencies to submit an initial\nto the Internal Revenue Service Director,            independent security assessment report that\nPrivacy, Governmental Liaison, and Disclosure.       could help to evaluate risk levels and the status\nIMPACT ON TAXPAYERS                                  of required security controls. The current\n                                                     documentation on which the Office of\nAffordable Care Act (ACA) legislation authorized     Safeguards bases its approval decision for\nStates to create marketplaces, called                release of FTI does not provide sufficient\n\xe2\x80\x9cExchanges,\xe2\x80\x9d to simplify the search for health       evidence that required controls have been\ncoverage by providing multiple options in one        implemented. TIGTA also found deficiencies in\nplace. 
Eligible taxpayers who purchase health        procedures related to obtaining signed system\ninsurance through an Exchange may qualify for        security authorizations and ensuring that on-site\nand request a refundable tax credit to assist with   reviews of agencies that have deployed new\npaying their health insurance premium. The           systems occur in a timely manner.\nACA authorized the IRS to disclose limited tax\nreturn information to the Exchanges when an          WHAT TIGTA RECOMMENDED\napplicant seeks financial assistance. To protect     TIGTA recommended that the Director, Privacy,\nthe confidentiality of the Federal Tax Information   Governmental Liaison, and Disclosure, ensure\n(FTI) disclosed to the Exchanges, the IRS has        that IRS Office of Safeguards\xe2\x80\x99 policy and\nestablished safeguards the Exchanges must            procedures are revised so that independent\nemploy. If required safeguards are not               assessments of security controls and signed\nestablished and maintained, FTI is at an             system security authorizations are received and\nincreased risk of unauthorized disclosure and        reviewed by the Office of Safeguards before\nuse.                                                 approving the release of FTI, and on-site\n                                                     reviews of agencies that have deployed new\nWHY TIGTA DID THE AUDIT\n                                                     systems should be prioritized according to risk\nThis audit was initiated to determine whether the    and scheduled in a timely manner.\nIRS Office of Safeguards has implemented\n                                                     IRS management agreed with our\nsufficient policies and procedures to ensure that\n                                                     recommendations. 
The IRS plans to require\nACA Exchanges are adequately protecting FTI\n                                                     agencies to submit an initial independent\nreceived from the IRS. The IRS is responsible\n                                                     security assessment and signed system security\nfor approving agencies to receive FTI and\n                                                     authorization. The IRS also plans to develop\nensuring that these agencies have controls in\n                                                     procedures to use the independent security\nplace to adequately protect the confidentiality of   assessment to validate that controls are\nFTI and prevent its unauthorized disclosure and      implemented as described by the agencies,\nuse.                                                 evaluate risk prior to releasing FTI, and prioritize\n                                                     on-site reviews.\n\x0c                                                 DEPARTMENT OF THE TREASURY\n                                                       WASHINGTON, D.C. 20220\n\n\n\n\nTREASURY INSPECTOR GENERAL\n  FOR TAX ADMINISTRATION\n\n\n\n\n                                              September 16, 2014\n\n\n MEMORANDUM FOR DIRECTOR, PRIVACY, GOVERNMENTAL LIAISON, AND\n                DISCLOSURE\n\n\n FROM:                        Michael E. 
McKenney\n                              Deputy Inspector General for Audit\n\n SUBJECT:                     Final Audit Report \xe2\x80\x93 Affordable Care Act: Expanded Guidance\n                              Provided Assistance to the Exchanges, but Greater Assurance of the\n                              Protection of Federal Tax Information Is Needed (Audit # 201420302)\n\n This report presents the results of our review of whether the Internal Revenue Service (IRS)\n Office of Safeguards has implemented sufficient policies and procedures to ensure that\n Affordable Care Act1 Exchanges are adequately protecting Federal Tax Information received\n from the IRS. This audit was initiated as part of the Treasury Inspector General for Tax\n Administration\xe2\x80\x99s Fiscal Year 2014 Annual Audit Plan and addresses the major management\n challenge of Implementing the Affordable Care Act and Other Tax Law Changes.\n Management\xe2\x80\x99s complete response to the draft report is included as Appendix V.\n Copies of this report are also being sent to the IRS managers affected by the report\n recommendations. If you have any questions, please contact me or Kent Sagara, Acting\n Assistant Inspector General for Audit (Security and Information Technology Services).\n\n\n\n\n 1\n  The Health Care and Education Reconciliation Act of 2010 and the Patient Protection and Affordable Care Act,\n Pub. L. No. 111-148, 124 Stat. 119 (2010) (codified as amended in scattered sections of the U.S. Code), as amended\n by the Health Care and Education Reconciliation Act of 2010, Pub. L. No. 111-152, 124 Stat. 
1029.\n\x0c                    Affordable Care Act: Expanded Guidance Provided Assistance to\n                       the Exchanges, but Greater Assurance of the Protection of\n                                   Federal Tax Information Is Needed\n\n\n\n\n                                            Table of Contents\n\nBackground .......................................................................................................... Page 1\n\nResults of Review ............................................................................................... Page 5\n          Expanded Guidance Provided Assistance to the Exchanges ........................ Page 5\n          On-Site Testing Procedures Were Generally Adequate................................ Page 6\n          Independent Security Assessments and Authorizations\n          Were Not Reviewed Prior to Approving the Release of\n          Federal Tax Information ............................................................................... Page 7\n                    Recommendations 1 and 2: .............................................. Page 11\n\n          Agencies Deploying New Systems May Not Be Tested\n          for Up to Three Years, Possibly Allowing Security\n          Deficiencies to Persist ................................................................................... Page 11\n                    Recommendation 3:........................................................ Page 13\n\n          Procedures to Suspend Transmission of Federal Tax\n          Information Were Not Adequately Documented .......................................... Page 13\n                    Recommendation 4:........................................................ Page 14\n\n\nAppendices\n          Appendix I \xe2\x80\x93 Detailed Objective, Scope, and Methodology ........................ Page 15\n          Appendix II \xe2\x80\x93 Major Contributors to This Report ........................................ 
Page 18\n          Appendix III \xe2\x80\x93 Report Distribution List ....................................................... Page 19\n          Appendix IV \xe2\x80\x93 Description of Key Controls As They Apply\n          to Safeguarding Federal Tax Information ..................................................... Page 20\n          Appendix V \xe2\x80\x93 Management\xe2\x80\x99s Response to the Draft Report ....................... Page 23\n\x0c        Affordable Care Act: Expanded Guidance Provided Assistance to\n           the Exchanges, but Greater Assurance of the Protection of\n                       Federal Tax Information Is Needed\n\n\n\n\n                        Abbreviations\n\nACA               Affordable Care Act\nCMS               Centers for Medicare and Medicaid Services\nFTI               Federal Tax Information\nHHS               Department of Health and Human Services\nIRM               Internal Revenue Manual\nIRS               Internal Revenue Service\nNIST              National Institute of Standards and Technology\nPOA&M             Plan of Action and Milestones\nSAR               Security Assessment Report\nSPR               Safeguards Procedure Report\nTIGTA             Treasury Inspector General for Tax Administration\n\x0c                  Affordable Care Act: Expanded Guidance Provided Assistance to\n                     the Exchanges, but Greater Assurance of the Protection of\n                                 Federal Tax Information Is Needed\n\n\n\n\n                                              Background\n\nIn March 2010, Congress passed two pieces of legislation that the President later signed into\nlaw\xe2\x80\x94the Health Care and Education Reconciliation Act of 2010 and the Patient Protection and\nAffordable Care Act (ACA).2 Collectively, these legislations are referred to as the ACA. ACA\nlegislation seeks to provide more Americans with access to affordable health care. 
The ACA\ncreated a new structured marketplace, commonly called \xe2\x80\x9cExchanges,\xe2\x80\x9d for the sale and purchase\nof health insurance. The Exchanges are intended to provide a place for Americans to shop for\nhealth insurance in a competitive environment. The Exchanges should simplify the search for\nhealth coverage by providing multiple options in one place and comparing plans based on price,\nbenefits, quality, and other important features that help consumers make a choice. The\nDepartment of Health and Human Services (HHS) and its Centers for Medicare and Medicaid\nServices (CMS) Division have primary responsibility for implementing the ACA, including\nmany elements related to the Exchanges.\nThe ACA authorized States to establish and operate an Exchange themselves (referred to as a\nState-based Exchange) or may cede this authority to the HHS/CMS that was tasked with the\ncreation of the Federal Exchange.3 Developing the Exchanges has been a complex undertaking,\ninvolving the coordinated actions of multiple Federal,4 State, and private stakeholders, and the\ncreation of an information system, known as the Hub, to support connectivity and near real-time\ndata sharing between multiple Federal and State agencies.\nThe ACA required that enrollment for health insurance at the Exchanges begin on\nOctober 1, 2013, for coverage that would be effective January 1, 2014. Eligible taxpayers who\npurchase health insurance through an Exchange may qualify for and request a refundable tax\ncredit5 to assist with paying their health insurance premium. This credit is called the Premium\nTax Credit and is claimed on the taxpayer\xe2\x80\x99s Federal tax return at the end of each coverage year.\nThis credit can also be paid in advance to a taxpayer\xe2\x80\x99s health insurance provider to help cover\nthe cost of premiums. These payments are referred to as the advance payments of the Premium\nTax Credit.\n\n\n2\n  Pub. L. No. 111-148, 124 Stat. 
119 (2010) (codified as amended in scattered sections of the U.S. Code), as\namended by the Health Care and Education Reconciliation Act of 2010, Pub. L. No. 111-152, 124 Stat. 1029.\n3\n  The ACA requires States to establish Exchanges by January 1, 2014, Pub. L. No. 111-148, \xc2\xa7 1311(b),\n124 Stat. 173. The Secretary of the HHS must establish and operate an Exchange in States that do not elect to\noperate an Exchange or in States where the Secretary determines, by January 1, 2013, that a State has failed to take\nactions necessary to establish an exchange, Pub. L. No. 111-148, \xc2\xa7 1321(c), 124 Stat. 186.\n4\n  Federal agencies involved in ACA collaboration include, e.g., the HHS, the Social Security Administration, the\nDepartment of Homeland Security, and the Internal Revenue Service.\n5\n  Any tax credit that is refundable can be used to reduce a taxpayer\xe2\x80\x99s tax liability to zero. Any excess of the credit\nbeyond the tax liability can be refunded to the taxpayer.\n                                                                                                               Page 1\n\x0c                  Affordable Care Act: Expanded Guidance Provided Assistance to\n                     the Exchanges, but Greater Assurance of the Protection of\n                                 Federal Tax Information Is Needed\n\n\nThe Internal Revenue Service\xe2\x80\x99s (IRS) role with respect\nto the ACA is to implement and administer ACA                   The IRS\xe2\x80\x99s role with respect to\nprovisions that have an impact on tax administration.           
the ACA is to implement and\nThe IRS\xe2\x80\x99s role includes providing information that will          administer ACA provisions\nsupport the HHS/CMS and the Exchanges in three main                 that have an impact on\nareas: 1) eligibility and enrollment, 2) calculating                  tax administration.\nmaximum Advance Premium Tax Credits, and\n3) reconciling advance payments of the Premium Tax Credit with reported taxable income.6 As\npart of the eligibility determination related to the Premium Tax Credit, the ACA authorized the\nIRS to disclose limited tax return information7 to the Exchanges when an applicant seeks\nfinancial assistance to obtain affordable coverage under ACA provisions. Because the tax credit\nmay be claimed in advance, the Exchange needs to determine an individual\xe2\x80\x99s eligibility for the\ntax credit at the time the individual applies for coverage through the Exchange.\nAs of October 1, 2013, the IRS had approved 16 Exchanges (14 State-based Exchanges, the\nDistrict of Columbia, and the Federal Exchange) to receive Federal Tax Information (FTI) for\nincome verification purposes related to eligibility and enrollment under provisions of the ACA.\nAfter the IRS approves an Exchange to receive FTI, the Exchange is required to validate\nincome-related information reported by consumers with select FTI to determine eligibility for the\ntax credit.\nThe Exchanges obtain FTI by initiating an electronic request to the IRS through the Hub. Also\nvia the Hub, the IRS returns the authorized items of tax return information with respect to each\nrelevant taxpayer or a response code indicating why no information is provided. 
The Hub is a\nrouting tool operated by the HHS to rapidly verify the information submitted by consumers\nseeking a determination of what coverage options and financial assistance are available to them.\nThe Hub does not retain FTI; it routes the information from Exchange requests and IRS\nresponses.\n\n\n\n\n6\n  The IRS has developed four system components to support the Exchange effort: the Coverage Data Repository,\nthe Income and Family Size Verification project, the Information Sharing and Reporting project, and the Premium\nTax Credit project. These components work together to store taxpayer data, provide responses to Exchange\nstakeholders, facilitate data exchange, and calculate amounts related to the Advance Premium Tax Credit,\nrespectively.\n7\n  The ACA specified information that the IRS may disclose which includes the following data elements from\nindividual tax returns for making eligibility determinations: household income, family size, filing status, adjusted\ngross income, and taxable Social Security benefits.\n                                                                                                              Page 2\n\x0c                 Affordable Care Act: Expanded Guidance Provided Assistance to\n                    the Exchanges, but Greater Assurance of the Protection of\n                                Federal Tax Information Is Needed\n\n\nPremium Tax Credits and cost-sharing subsidies were authorized by the ACA to help certain\nindividuals and families with incomes between 100 percent and 400 percent of the Federal\npoverty level pay for Exchange coverage. To qualify for these income-based financial subsidies,\n                                  individuals must also meet the criteria for eligibility for\n                                  enrollment and not be eligible for other health insurance\n    Without FTI data used to      coverage that meets certain standards. 
Without FTI data used\n  support applicant-provided      to support applicant-provided information about projected\n  information, tax credits and    household income, tax credits and subsidies could be\n       subsidies could be         incorrectly awarded. Paying back incorrect credits all at once\n      incorrectly awarded.\n                                  could be a burden on taxpayers and could lead to the need for\n                                  collection actions.\nIRS Safeguards Program\nThe IRS\xe2\x80\x99s Office of Safeguards within the Privacy, Governmental Liaison, and Disclosure\nDivision is responsible for managing and providing oversight to agencies that receive FTI and\nensuring that these agencies have controls in place to adequately protect the confidentiality of\nFTI and prevent unauthorized disclosure and use. The Office of Safeguards oversees FTI\nsharing with about 300 agencies.8 IRS Publication 1075, Tax Information Security Guidelines\nfor Federal, State and Local Agencies,9 provides guidance to ensure that the policies, practices,\ncontrols, and safeguards employed by Federal, State, and local recipient agencies, agents, or\ncontractors adequately protect the confidentiality of FTI.\nAs part of its oversight responsibilities, the Office of Safeguards conducts periodic reviews of\nagencies that receive FTI. These reviews entail both documentary reviews of required reports\nand on-site visits to validate that controls reported by agencies are in place. The on-site visits\ninclude reviews of employee awareness programs, proper disposal and secure storage of FTI, and\ncomputer security. The Office of Safeguards\xe2\x80\x99 approach to fulfilling its responsibilities is to\npromote a cooperative effort with the recipient agencies\nand their contractors to ensure the confidentiality of\n                                                                The IRS has been tasked with\nFTI. 
Outreach and communication are key elements in            both sharing FTI for authorized\nthis approach. The program must also maintain viable             program activities, such as\nenforcement standards and capabilities.                        those related to the Exchanges,\n                                                                      and with keeping FTI safe and\nThe IRS Safeguards program has been tasked with both                 confidential, even when the data\nsharing FTI for authorized program activities, such as                  are not in its direct control.\nthose related to the Exchanges, and with keeping FTI                   There is high inherent risk in\n                                                                               this situation.\nsafe and confidential, even when the data are not in its\ndirect control. The Treasury Inspector General for Tax\n\n8\n According to the IRS, there were 299 agencies subject to Office of Safeguards\xe2\x80\x99 oversight as of April 8, 2014.\n9\n The IRS updated Publication 1075 in January 2014 based on the National Institute of Standards and Technology\nSpecial Publication 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and\nOrganizations.\n                                                                                                         Page 3\n\x0c                  Affordable Care Act: Expanded Guidance Provided Assistance to\n                     the Exchanges, but Greater Assurance of the Protection of\n                                 Federal Tax Information Is Needed\n\n\nAdministration (TIGTA) believes that sharing sensitive FTI data with agencies and their many\ndifferent environments related to management, information systems, and internal controls\npresents a difficult challenge and high inherent risk.10 The Safeguards program is designed to\nmanage and mitigate these risks.\nIRS efforts can at best provide reasonable, but not absolute, 
assurance that FTI is adequately\nsafeguarded. Authoritative Federal guidance states that security is never perfect when a system\nis implemented. In addition, the behavior of system users and operators may intentionally or\nunintentionally bypass or subvert security controls designed to protect systems and data.\nChanges in the system or the environment can create new vulnerabilities. Strict adherence to\nprocedures is rare over time, and procedures become outdated. Thus, Federal standards provide\nfor a process that monitors the effectiveness of key security controls over time and tracks efforts\nto address known vulnerabilities as they are identified. The IRS follows a similar methodology\nto help secure FTI at external agencies.\nThis review was performed with information obtained from the Office of Safeguards\nin Washington, D.C.; and at the California Health Benefit Exchange office in\nSacramento, California; and the Access Health CT office in Hartford, Connecticut, during\nthe period December 2013 through July 2014. We conducted this performance audit in\naccordance with generally accepted government auditing standards. Those standards require\nthat we plan and perform the audit to obtain sufficient, appropriate evidence to provide a\nreasonable basis for our findings and conclusions based on our audit objective. We believe\nthat the evidence obtained provides a reasonable basis for our findings and conclusions based on\nour audit objective. Detailed information on our audit objective, scope, and methodology is\npresented in Appendix I. 
Major contributors to the report are listed in Appendix II.\n\n\n\n\n10\n Inherent risk is the likelihood that a loss of confidentiality, integrity, or availability could occur that would\nmaterially/significantly affect the audit objectives, assuming that there are no related internal controls.\n                                                                                                                     Page 4\n\x0c               Affordable Care Act: Expanded Guidance Provided Assistance to\n                  the Exchanges, but Greater Assurance of the Protection of\n                              Federal Tax Information Is Needed\n\n\n\n\n                                 Results of Review\n\nExpanded Guidance Provided Assistance to the Exchanges\nThe IRS took several steps to facilitate the readiness of the Exchanges to receive FTI. Among\nthese steps were assigning staff dedicated to the ACA Exchanges, providing for an extensive\ndocumentation review process, making on-site visits to provide guidance on required document\npreparation, and coordinating with other stakeholder organizations. The IRS also was responsive\nto issues raised during this audit.\nThe IRS used the Safeguards Procedure Report (SPR) as the primary tool to assess the readiness\nof Exchange agencies to receive FTI. The information in the SPR describes what the agencies\nare doing or plan to do to address the required FTI safeguarding controls described in\nPublication 1075. The SPR describes how FTI will be received and processed by the agency,\nand how FTI will be protected from unauthorized disclosure. The IRS also used additional\nsecurity documents the Exchanges supplied to the HHS/CMS to supplement the information in\nthe SPR when assessing readiness to receive FTI. 
In January 2014, the SPR was replaced by the\nSafeguard Security Report, which, in addition to serving as an initial report to the IRS on agency\nsafeguarding procedures, is also used as an annual reporting vehicle.\nApproximately two years prior to the October 1, 2013, enrollment commencement, the IRS\nbegan its work with the HHS/CMS and the Exchanges to facilitate timely completion of the\nSPRs and to assist the Exchanges in understanding safeguarding controls. The IRS provided\nstaff to oversee Exchange SPR completions from September 2012 to March 2014. From\nDecember 2012 to September 2013, staffing ranged from eight to 14 individuals (employees and\ncontractors) to work with the Exchanges, and to review and approve the SPRs. The IRS\nprovided access to safeguarding requirements on its website and presented the requirements at a\nsystem-wide Exchange meeting in May 2012.\nThe IRS also collaborated with the HHS to ensure that Publication 1075 requirements were\nincorporated into HHS published guidance, security agreements with the Exchanges, and\nincident response plans. HHS guidance prohibits the display and disclosure of FTI during\napplication processing (either electronically or in notices), which significantly reduces the risk of\nexposure of FTI. The IRS participated in HHS reviews with the Exchanges to ensure that\nPublication 1075 requirements were fully understood and incorporated into the systems\xe2\x80\x99\nlifecycle development. The IRS also established standing biweekly office hours to answer\ntechnical questions posed by the Exchanges.\nAs a result of the early IRS efforts, the Exchanges submitted initial SPRs well before the\nOctober 1, 2013, enrollment commencement. 
The IRS subsequently worked through multiple\nSPR submissions with the Exchanges, providing iterative feedback, until IRS reviewers\n                                                                                              Page 5\n\x0c                  Affordable Care Act: Expanded Guidance Provided Assistance to\n                     the Exchanges, but Greater Assurance of the Protection of\n                                 Federal Tax Information Is Needed\n\n\nconcluded that all safeguard controls were adequately addressed in the SPRs. The IRS\nemphasized that some key controls should be fully implemented or have mitigating controls\nbefore agencies would be approved to receive FTI.\nIn addition to the document review, the IRS went beyond its standard procedures by visiting each\nof the Exchanges to review the SPRs and ensure that the Exchanges understood the importance\nof security controls prior to approving them to receive FTI. However, no testing of security\ncontrols occurred during these initial visits. Normally, the IRS would rely on document reviews\nwith supplemental telephone or correspondence contacts as needed. The IRS made the on-site\nvisits because the agencies were brand-new entities and not familiar with IRS procedures. IRS\nteams made an on-site visit to each Exchange in the July to August 2013 time frame to review\ndraft SPR submissions, discuss IRS requirements with Exchange personnel, and ensure that any\nremaining concerns were properly understood and addressed.\nThe IRS systems supporting data exchange among the Exchanges and Federal agencies to enroll\napplicants functioned largely as expected. Figure 1 shows the IRS-reported number of FTI\ndisclosures for ACA purposes (Income and Family Size Verification) since the Hub started\noperating on October 1, 2013. 
There is no direct correlation between these numbers and\nExchange enrollments reported by the HHS/CMS or any State.\n  Figure 1: Volume of FTI Disclosures for ACA Purposes to Exchange Agencies\n                  October     November December             January      February      March\xc2\xa0\n Exchange\xc2\xa0         2013\xc2\xa0        2013\xc2\xa0    2013\xc2\xa0               2014\xc2\xa0         2014\xc2\xa0       2014\xc2\xa0         Total\xc2\xa0\n15\xc2\xa0States\xc2\xa0With\xc2\xa0\n  Exchanges\xc2\xa0      628,614\xc2\xa0     \xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0771,439\xc2\xa0    2,132,837\xc2\xa0   1,742,567\xc2\xa0   1,655,627\xc2\xa0   3,211,161\xc2\xa0   10,142,245\xc2\xa0\n\n   Federal\xc2\xa0\n                  910,545\xc2\xa0      1,180,460\xc2\xa0     3,278,422\xc2\xa0   1,989,276\xc2\xa0   1,682,052\xc2\xa0   3,530,360\xc2\xa0   12,571,115\xc2\xa0\n  Exchange\xc2\xa0\n\n   Total\xc2\xa0\n             1,539,159\xc2\xa0         1,951,899\xc2\xa0     5,411,259\xc2\xa0   3,731,843\xc2\xa0   3,337,679\xc2\xa0   6,741,521\xc2\xa0   22,713,360\xc2\xa0\nDisclosures\xc2\xa0\nSource: IRS Office of Safeguards\xe2\x80\x99 internal report.\n\nOn-Site Testing Procedures Were Generally Adequate\nA safeguard review is an on-site evaluation of the use of FTI and the measures employed by the\nreceiving agency to protect the information. The Office of Safeguards generally conducts on-site\nreviews once every three years. IRS policy states that agencies receiving FTI for the first time\nmay be reviewed within one year of initial receipt of FTI. Additionally, IRS guidance directs\nthat risk factors identified outside the reporting process should be taken into consideration in\ndetermining the timing of on-site reviews. 
Examples of such considerations include, but are not limited to, a history of problems, information reported by TIGTA, or news items affecting agencies and their contractors.

We observed the IRS conduct reviews of two State Exchanges. We found that the Office of Safeguards' testing procedures were generally adequate. The IRS conducted opening and closing meetings to inform agency staff about the review process and results. The testers were thorough in administering the security testing steps and asked additional questions when needed. The IRS provided the agencies with a Preliminary Findings Report at the end of the on-site visit that listed high-level findings related to the testing.

The Office of Safeguards is in the process of procuring the Nessus vulnerability scanner to help automate the test steps. We agree that automating test processes, where possible, will increase efficiency in terms of the time required to perform the tests and will provide accurate and complete automated documentation of test results.

TIGTA also discussed the benefits of revising test steps on operating systems to begin with queries that determine what ports are open and what applications are running. Depending on the results, these queries could eliminate some unnecessary tests. In addition, IRS management stated that they have made some changes in response to feedback from TIGTA during the audit.

• Both recommendations from TIGTA's first on-site review visit, regarding penetration testing and website analysis, were added to the IRS's testing plan in response to TIGTA's feedback on the templates.
• The Office of Safeguards will now request and review the agency's security testing results during its on-site reviews and determine (through its own testing) whether the agency is taking action on the deficiencies.
• The Office of Safeguards has added, or will add, test steps for 17 Publication 1075 controls that TIGTA identified were not tested during on-site reviews. Five of the 17 controls had been newly added to the revised Publication 1075 that the Office of Safeguards issued in January 2014 based on the National Institute of Standards and Technology (NIST) Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations.

Independent Security Assessments and Authorizations Were Not Reviewed Prior to Approving the Release of Federal Tax Information

The steps that the IRS took to provide assistance to the Exchanges were helpful; however, additional procedures are needed to provide greater assurance that FTI is protected prior to its release. IRS procedures did not require the Exchanges or other agencies to submit an initial independent Security Assessment Report (SAR) that could help evaluate risk levels at the individual agencies and be used to prioritize on-site reviews.
Moreover, although the IRS has a requirement that agencies complete signed security authorizations prior to receiving FTI, the IRS does not require these authorizations to be submitted to the IRS prior to approval, and on-site reviews revealed that authorizations were not always satisfactorily completed.

Independent SARs were not reviewed prior to approving agencies to receive FTI

A best practice, as required for Federal agencies,¹¹ is that an assessment of security controls must be conducted by an independent assessor prior to issuing the initial authority to operate for all newly implemented systems. The results of the assessment are summarized in the SAR, which identifies the security vulnerabilities that should be corrected or mitigated. The HHS/CMS initially required the Exchanges to conduct an independent assessment of the security controls in the newly implemented Exchange information systems prior to issuing the initial authority to connect to the Hub. Subsequently, the HHS/CMS altered its guidance to allow the Exchanges to complete independent testing and plan to submit the SAR by March 31, 2014, or within six months of being granted authority to connect to the Hub. Publication 1075 does not require such an initial assessment prior to approval, but it does require agencies to assess the security controls in the information system and its environment at a minimum on an annual basis.

The Office of Safeguards' current security procedures do not require agencies to submit an independent SAR for the IRS's review prior to the release of FTI. To approve an agency as ready to receive and properly safeguard FTI, the IRS initially relies on a description of the controls in the SPR. In conjunction with the documentary review, the IRS works with the agencies to ensure that the SPR descriptions are comprehensive and, in the case of the Exchanges, also made visits to facilitate completing the SPR.

Testing for the SARs was generally completed within the two months prior to Exchange implementation. Development of ACA systems was still ongoing during the time between testing and deployment. Consequently, the SARs would not necessarily have contained current information as of the October 1 start date, because the Exchanges would have been working on correcting the weaknesses that had been identified. However, had the Office of Safeguards obtained and reviewed the Exchanges' SARs, it would have had better information regarding the status of Publication 1075 controls on which to base its approval decisions and to prioritize on-site reviews toward those Exchanges deemed most vulnerable to security breaches.

TIGTA reviewed the Exchange SARs and Plans of Action and Milestones (POA&M),¹² which the HHS/CMS provided to us. Figure 2 shows that our review of the POA&Ms for 11 Exchanges indicated that at least one open weakness existed in each of the 17 key security controls as of October 1, 2013.

¹¹ NIST Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, Apr. 2013.
¹² The POA&M is used to track security control weaknesses identified by the agency during the internal inspections process and any other internal or external security assessment.
The POA&M must include the corrective actions identified during the internal inspections and will identify the actions the agency plans to take to resolve these weaknesses.

Figure 2: The Exchanges With Open Weaknesses in Key Controls As of October 1, 2013
(out of 11 Exchanges with POA&Ms suitable for evaluation)¹³

       Key Control                                               The Exchanges With Open
       NIST Designation   Control Name                           Weaknesses As of October 1, 2013
   1   AC-3               Labeling                                            3
   2   AC-6               Least Privilege                                     5
   3   AC-20              Use of External Information System                  4
   4   AU-2               Auditable Events                                    6
   5   IA-2               Identification and Authentication                   8
   6   IA-5               Identifier Management                               7
   7   IR-6               Incident Reporting                                  4
   8   MP-3               Media Marking                                       5
   9   MP-6               Media Sanitization                                  4
  10   PE-3               Physical Access Control                             3
  11   SA-9               External Information System Services                3
  12   SC-4               Information in Shared Resources                     3
  13   SC-7               Boundary Protection                                 5
  14   SC-8               Transmission Integrity                              3
  15   SC-9               Transmission Confidentiality                        5
  16   SI-2               Flaw Remediation                                    6
  17   SI-3               Malicious Code Protection                           3

Source: TIGTA analysis of Exchange POA&Ms.

As shown in Figure 2, the results of our review of the 11 Exchanges showed that, as of October 1, 2013, multiple Exchanges had open weaknesses related to each of the 17 controls. These weaknesses were present even though the Office of Safeguards had reviewed the SPRs and related documents and had worked with the Exchanges to ensure that these particular controls were in place prior to
October 1. IRS reviewers had based their approval decisions on the descriptions of the controls in the SPR, whether implemented or planned, rather than on the actual status of these controls, because they had neither the SARs nor IRS test results.

¹³ We did not include five Exchanges in this analysis because two had no SARs, two had POA&Ms with incomplete data, and one had a draft POA&M. See Appendix IV for a more complete description of the controls as they apply to safeguarding FTI.

In addition, although not an IRS requirement, three Exchanges did not provide the SARs to the HHS/CMS prior to October 1, 2013, in accordance with the initial HHS/CMS requirement. Consequently, this HHS/CMS control was not fully in place for all of the Exchanges at the time the Office of Safeguards approved them to receive FTI. While the IRS was not responsible for reviewing agency compliance with this requirement imposed by the HHS/CMS, it was not always evident in the SPRs whether or not the SARs were completed.

According to the Office of Safeguards, the SPR provided sufficient information to evaluate an agency's ability to protect FTI and to base its approval decision to release FTI. The Office of Safeguards stated that it relies on agencies, as trusted governmental data exchange partners, to implement the security controls as described in the SPR prior to receipt of FTI. Agencies are expected to follow sound information security business practices, including testing as part of system development procedures, but are not required to provide evidence of compliance prior to SPR approval. The Office of Safeguards stated that the recipient agency assumes all responsibility for operation and maintenance of information systems, as well as legal liability for FTI received under Internal Revenue Code Section 6103. The IRS stated that agencies may establish additional processes to enhance data protection subsequent to receiving FTI.

Without sufficient and complete information regarding the status of required security controls, the IRS might approve the release of FTI to an environment that puts FTI at risk of unauthorized disclosure or misuse.

Signed security authorizations were not obtained prior to approving agencies to receive FTI

Publication 1075 requires that an authorizing official authorize (through signature approval) the information system for processing before commencing operations. The purpose of the authorization is to ensure that management has reviewed the risks associated with operating the system and has accepted the risk based on the implementation of the security controls. Although the IRS had communicated to the Exchanges that systems must be authorized, neither of the two Exchanges TIGTA visited during the audit had signed security authorizations in place. While Publication 1075 requires agencies to ensure that the authorizing official authorizes the information system before commencing operations, it does not require agencies to submit the signed security authorization to the Office of Safeguards prior to release of FTI.

Because the Office of Safeguards relied on agencies as trusted governmental data exchange partners to implement the security controls as described in the SPR prior to receipt of FTI, it did not consider it necessary to obtain signed authorization documents from the recipient agencies prior to conducting an on-site review. During on-site reviews, the authorization documents were checked.
However, without obtaining security authorizations prior to the release of FTI, the IRS has insufficient assurance that a responsible agency official has assessed and accepted the risks of any controls not yet in place prior to making the system operational.

Recommendations

The Director, Privacy, Governmental Liaison, and Disclosure, should:

Recommendation 1: Revise Publication 1075 to state that agencies that are deploying new systems must conduct an independent assessment of the security controls in their information systems prior to issuing the initial authority to operate, and must provide the SAR and signed security authorizations of their systems to the Office of Safeguards before release of FTI will be granted.

    Management's Response: The IRS agreed with this recommendation. The IRS will revise Publication 1075 to require agencies to provide the signed Authority to Operate and the results of independent security testing for new systems that will process FTI when submitting the Safeguard Security Report specifying controls for the new system. The IRS currently requests this documentation from new agencies seeking IRS approval to receive FTI for the first time.

Recommendation 2: Revise Office of Safeguards' policies to include a review of the SAR for any significant security deficiencies before approving the release of FTI and to use SAR results as a factor in assessing risk and prioritizing agencies for on-site reviews.

    Management's Response: The IRS agreed with this recommendation. The IRS partially implemented this recommendation by reviewing agency security testing results during on-site safeguard reviews. The IRS will establish requirements that include the SAR as evidence to validate that the controls described in the Safeguard Security Report are implemented before the IRS approves an initial release of FTI. The IRS will also develop policies and procedures to evaluate the agency's independent security assessment and conduct a risk-based assessment or a modified on-site review prior to initial release of FTI. The policy will detail risk-based criteria for release of data as well as actions taken to mitigate vulnerabilities before approval of the data exchange. The results will be used when developing the safeguards review schedule.

Agencies Deploying New Systems May Not Be Tested for Up to Three Years, Possibly Allowing Security Deficiencies to Persist

Publication 1075 requires that agencies that receive FTI must agree to Office of Safeguards' on-site testing of agency security controls. Additionally, the Internal Revenue Manual (IRM), although out of date, anticipates that agencies receiving FTI for the first time may be reviewed within one year of initial receipt of the information. The IRM states that factors such as a past history of problems, news items, or major changes in a processing system may indicate a need for the IRS to conduct a review sooner than it otherwise would.

The Office of Safeguards conducted on-site testing at three of the 16 Exchanges within the first six months of operation.
By June 2014, the IRS stated it had conducted on-site testing of three additional Exchanges, for a total of six Exchanges tested. We reviewed the overall testing results for the initial three sites the IRS had visited against the 157 controls required in Publication 1075. The testing results revealed weaknesses in controls that the Exchanges had described as implemented in their documentation. The results of the on-site testing also showed that weaknesses persisted in most of the 17 key controls, which the Office of Safeguards had worked with the Exchanges to ensure were implemented prior to the release of FTI. Additionally, the on-site testing at one Exchange revealed a serious weakness related to remote access, requiring prompt action, that was not evident in the SPR. Figure 3 shows the number of controls with weaknesses identified by the Office of Safeguards' on-site testing that Exchange documentation had described as implemented.

Figure 3: Selected Results of Office of Safeguards' On-site Testing

  Weakness Condition                                                                  Exchange 1   Exchange 2   Exchange 3
  Publication 1075 controls (of 157 reviewed by TIGTA) with weaknesses that the           23           34           35
  Exchanges had described as implemented in documentation.
  Key Controls (17 of the 157) with weaknesses that the Exchanges had described            8           10            9
  as implemented in documentation.

Source: TIGTA analysis of Office of Safeguards' testing results.

Because the Exchanges were undergoing system testing in the months just prior to system deployment and working to correct deficiencies that were identified in the testing process, it was not practical for the Office of Safeguards to perform on-site reviews at the Exchanges prior to system deployment. However, the current Office of Safeguards' process to schedule on-site reviews could significantly delay identifying weaknesses, because agencies that have deployed new systems are reviewed on the same three-year testing cycle as other agencies in their States that are already receiving FTI.
Consequently, although the IRS receives annual reports and maintains other contacts with them, agencies that have deployed new systems may not receive an on-site review for up to three years after they first receive FTI.

As we have illustrated, the current documentation on which the IRS bases its approval decision for release of FTI does not provide sufficient evidence that required controls have been implemented. The SARs provide better information regarding the status of required controls, which, as we previously recommended, the IRS should review to ensure that no serious weaknesses exist before releasing FTI. Therefore, if an agency does not submit a SAR that indicates the new system materially meets safeguard requirements for protection of FTI, the IRS should schedule an on-site review prior to releasing FTI. Because another TIGTA report¹⁴ related to the IRS Office of Safeguards' oversight procedures has already made this recommendation, we will not include it as a recommendation in this report. However, if the IRS approved the release of FTI based on its review of the SAR, we believe initial on-site testing should occur as soon as possible after the date FTI is first sent in order to obtain the best assurance that information is adequately protected.

New untested systems carry a higher risk that controls are not properly implemented or working as intended. If not tested in a timely manner, security weaknesses may persist, unknown to the Office of Safeguards or the Exchanges, which may put FTI at risk.

Recommendation

Recommendation 3: The Director, Privacy, Governmental Liaison, and Disclosure, should prioritize according to risk, and schedule in a timely manner, on-site reviews of agencies that have deployed new systems and received FTI, particularly when those new systems relate to sensitive programs such as the ACA.

    Management's Response: The IRS agreed with this recommendation. The IRS will develop a comprehensive review scheduling process that documents risk-based deviations from the three-year review cycle for all agencies. The IRS will also establish procedures to incorporate new agencies receiving FTI into the review schedule when authorizing the initial release of FTI. The IRS will prioritize on-site reviews based on the evaluation of the agency's independent security assessment, IRS risk-based assessment, or a modified on-site review to increase assurance that FTI will be protected upon receipt.

Procedures to Suspend Transmission of Federal Tax Information Were Not Adequately Documented

Federal regulations provide for the IRS to take action to suspend or terminate FTI disclosures to a recipient agency that has failed to implement adequate safeguards to protect the confidentiality of FTI.¹⁵ The IRS may also refuse to disclose FTI until it determines that Office of Safeguards' requirements have been or will be met.

The IRM provides procedures for the Office of Safeguards' on-site reviewers to follow when they identify serious deficiencies at recipient agencies. Deficiencies may be identified when the IRS reviews required reports or during on-site testing of security controls.
The IRM states that when an on-site reviewer identifies a serious deficiency, the first action should be to attempt to obtain voluntary compliance through discussion and negotiation. When an impasse occurs, the matter should be elevated to the appropriate IRS management level, and the reviewer should supply the relevant facts and a recommendation as to what action should be taken if the situation is not corrected.

The IRM further states that if IRS management is unable to break the impasse, it should initiate an administrative process to notify the recipient agency in writing of the IRS's intent to suspend or terminate FTI disclosures. Such notices allow the recipient agency 30 calendar days to appeal the IRS's preliminary determination. However, the IRM also states that a duly delegated IRS official may immediately suspend FTI disclosures where unauthorized accesses or disclosures would be made absent the suspension, and it makes a reference to a delegation order. However, the IRM does not clearly cite who has been delegated the authority to make the decision to immediately suspend FTI prior to initiating the administrative process. Consequently, the Office of Safeguards' reviewers may not know the full process to immediately suspend FTI when serious deficiencies exist. Also, the lack of clear procedures for immediate suspension of FTI could prolong the time needed to resolve potentially serious incidents.

The IRM also contains some out-of-date information, such as an incorrect business unit, that applied prior to a reorganization. The IRM was last updated in August 2008, when the Office of Safeguards was in a different business unit. Consequently, the existing guidance does not reflect the current organizational structure and should be updated.

As a practical matter, the IRS has not used its immediate authority or the administrative process to suspend or terminate FTI because it has been able to resolve matters with agencies through discussion and negotiation when serious deficiencies were discovered. However, clarifying the procedures to follow in the event that an impasse occurs and immediate suspension or termination is needed, including identifying the managers who have the authority to immediately suspend FTI, will help to facilitate IRS communication internally and with agencies about such issues.

¹⁴ TIGTA, Ref. No. 2014-20-059, The Office of Safeguards Should Improve Management Oversight and Internal Controls to Ensure the Effective Protection of Federal Tax Information (Sept. 2014).
¹⁵ Code of Federal Regulations, Title 26, §301.6103(p)(7)-1.

Recommendation

Recommendation 4: The Director, Privacy, Governmental Liaison, and Disclosure, should update procedures in the IRM, including clarifying procedures for immediate suspension or termination of FTI and identifying which managers have the authority to do so when deficiencies are serious enough to potentially allow unauthorized access or disclosure of FTI.

    Management's Response: The IRS agreed with this recommendation. The IRS is revising the IRM 11.3.36 to clarify the procedures to suspend or terminate disclosure when identifying an immediate risk to FTI.
    The Office of Safeguards' staff will be trained on the procedures and notified of the delegated IRS officials authorized to suspend disclosure of FTI.

Appendix I

Detailed Objective, Scope, and Methodology

Our overall objective was to determine whether the IRS Office of Safeguards has implemented sufficient policies and procedures to ensure that ACA Exchanges are adequately protecting FTI received from the IRS. To accomplish our objective, we:

I.   Evaluated the IRS's processes and procedures related to the approval of ACA State and Federal Exchanges to receive FTI, and determined their adequacy in ensuring protection of FTI prior to its release.
     A. Coordinated with TIGTA's other Security and Information Technology Services audit team on the overall Office of Safeguards' program¹ to ensure that we stayed informed about their findings and ensured consistency and continuity between the two audit reports.
     B. Interviewed the ACA Office of Safeguards' staff to identify ACA-related processes and procedures.
     C. Reviewed the Office of Safeguards' processes and procedures and other security control guidance as they relate to the State and Federal Exchanges and documented any control weaknesses identified related to the policies and procedures or guidance.
        1. Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies—incorporates NIST Special Publication 800-53 controls.
        2. Minimum Acceptable Risk Standards for Exchanges.
        3. The SPRs, System Security Plans, and System Security Plan Workbooks.
        4. Authorization process prior to the release of FTI data.
        5. SPR/System Security Plan validation visit prior to approval to receive FTI.
     D. Determined whether Publication 1075 contains adequate security controls for protection of FTI when compared with NIST Special Publication 800-53, Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations.
        1. Identified NIST Special Publication 800-53, Rev. 4, controls that, in TIGTA's opinion, should be added to Publication 1075 to ensure protection of FTI.
        2. Determined whether the controls identified by the IRS as critical are sufficient or whether additional security controls should be considered as critical and in place prior to release of FTI.
     E. Determined whether IRS processes are sufficient to ensure that ACA Exchanges have reported that standards are being met and controls are in place.
        1. Based on ACA Exchange approval documents, identified the security controls that were not in place when the IRS approved the ACA Exchange to receive FTI. We noted if any of these were the security controls that the IRS deemed critical.
        2. Reviewed and evaluated IRS processes to monitor and ensure that failed security controls are corrected before FTI is released. Based on available documentation, we determined if failed controls were corrected before FTI was released.
     F. Evaluated IRS requirements for information security agreements between the IRS and the State and Federal Exchanges.
        1. Determined what formal agreements are required prior to release of FTI.
        2. Assessed whether the IRS has executed these agreements with the appropriate parties.
        3. Determined whether the agreements adequately allow for the IRS's enforcement of protection of FTI.
II.  Determined whether State and Federal Exchanges performed required independent security assessments prior to receiving FTI.
     A. Determined requirements for State and Federal Exchanges with respect to independent security assessments.
     B. Determined what the IRS obtains from State and Federal Exchanges related to the independent security assessment – a copy of the results, a copy of the POA&M, etc.
     C. Determined how the IRS uses the information it obtains from the independent security assessments.
     D. Reviewed State and Federal Exchanges' independent security assessment testing documentation for adequacy with respect to Publication 1075 for the State Exchanges, NIST standards for the Federal Exchange, and TIGTA's judgment. We coordinated with the HHS Office of Inspector General to obtain this documentation and on other matters during our review as needed.
        1. Analyzed results and identified controls not in place and/or inadequately reported by the independent security assessments.
        2. Determined whether the independent security assessments identified failed controls that the IRS's approval processes did not identify, for input to Step I, and, where available, that the IRS's on-site review test processes did not identify, for input to Step II.
     E. Evaluated the State and Federal Exchanges' processes to correct security control weaknesses reported by the independent security assessments.
        1. Evaluated State Exchange POA&Ms.
        2. Based on available documentation, determined whether failed controls are corrected in a timely manner.
III. Evaluated whether the Office of Safeguards' reviews are adequate to detect failed security controls and whether its processes adequately ensured that failed controls are corrected.
     A. Evaluated test plans and templates that the IRS Office of Safeguards uses during reviews.
     B. Evaluated test documents from completed on-site reviews to assess the adequacy of the IRS's review process.
     C. Accompanied the IRS on reviews at the California and Connecticut Exchanges that took place during the audit period to determine if the Exchanges have implemented the security controls required by Publication 1075. We obtained and reviewed test plans for each site in advance.
     D. Determined whether the IRS's reviews identified failed security controls that the IRS's approval process or the State and Federal independent security assessments did not identify.
     E. Evaluated IRS processes to ensure that State and Federal Exchanges correct security control weaknesses reported by the IRS's reviews.

¹ TIGTA, Ref. No. 2014-20-059, The Office of Safeguards Should Improve Management Oversight and Internal Controls to Ensure the Effective Protection of Federal Tax Information (Sept. 2014).

Internal controls methodology

Internal controls relate to management's plans, methods, and procedures used to meet their mission, goals, and objectives. Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations. They include the systems for measuring, reporting, and monitoring program performance. We determined that the following internal controls were relevant to our audit objective: the IRS's policies and procedures to administer the Safeguards program, other Federal guidance related to computer security controls, and guidance related to the Exchanges.
We evaluated these controls by\ninterviewing management and by reviewing the relevant IRS and Federal guidance, including the\nIRM, Publication 1075, NIST Special Publication 800-53, Revisions 3 and 4, and Minimum\nAcceptable Risk Standards for Exchanges.\n\n\n\n                                                                                          Page 17\n\x0c              Affordable Care Act: Expanded Guidance Provided Assistance to\n                 the Exchanges, but Greater Assurance of the Protection of\n                             Federal Tax Information Is Needed\n\n\n                                                                              Appendix II\n\n                 Major Contributors to This Report\n\nAlan Duncan, Assistant Inspector General for Audit (Security and Information Technology\nServices)\nKent Sagara, Director\nJody Kitazono, Audit Manager\nMary Jankowski, Lead Auditor\nLouis Lee, Senior Auditor\nMidori Ohno, Senior Auditor\nEsther Wilson, Senior Auditor\nLarry Reimer, Information Technology Specialist\n\n\n\n\n                                                                                     Page 18\n\x0c             Affordable Care Act: Expanded Guidance Provided Assistance to\n                the Exchanges, but Greater Assurance of the Protection of\n                            Federal Tax Information Is Needed\n\n\n                                                                       Appendix III\n\n                        Report Distribution List\n\nCommissioner C\nOffice of the Commissioner \xe2\x80\x93 Attn: Chief of Staff C\nDeputy Commissioner for Operations Support OS\nDirector, Governmental Liaison, Disclosure, and Safeguards OS:P:GLDS\nAssociate Director, Safeguards OS:P:S\nChief Counsel CC\nNational Taxpayer Advocate TA\nDirector, Office of Legislative Affairs CL:LA\nDirector, Office of Program Evaluation and Risk Analysis RAS:O\nOffice of Internal Control OS:CFO:CPIC:IC\nAudit Liaison: Privacy, Governmental 
Liaison, and Disclosure OS:P\n\n\n\n\n                                                                             Page 19\n\x0c            Affordable Care Act: Expanded Guidance Provided Assistance to\n               the Exchanges, but Greater Assurance of the Protection of\n                           Federal Tax Information Is Needed\n\n\n                                                                                     Appendix IV\n\n    Description of Key Controls As They Apply to\n       Safeguarding Federal Tax Information\n\n    Key Control\n       NIST                                   Description of Control As It Applies to\n    Designation    Control Name                         Safeguarding FTI\n                                       Agencies must identify FTI data they have and consistently\n                                       apply labels to that data in such a way that the data are easily\n                                       identified, even when commingled. When data are commingled,\n                                       the data must be identified at the most minor level. For\n1                                      example, if data are commingled at the table level, i.e., a\n    AC-3          Labeling\n                                       database which contains FTI and non-FTI data tables, the tables\n                                       must be labeled in such a way so that it is readily apparent that\n                                       those tables contain FTI. Additionally, if data are commingled\n                                       within a table that includes FTI and non-FTI data, FTI data must\n                                       be explicitly labeled and identified as such.\n                                       Access to FTI must be strictly on a need-to-know basis. 
FTI\n                                       must never be indiscriminately disseminated, even within the\n2   AC-6          Least Privilege      recipient agency, body, or commission. No person should be\n                                       given more FTI than is needed for performance of his or her\n                                       duties.\n                                       Only agency-owned computers, media, and software will be\n                                       used to receive, process, access, and store FTI. The agency\n3                 Use of External\n    AC-20                              must retain ownership and control for the security configuration\n                  Information System\n                                       of all hardware, software, and end-point equipment connecting\n                                       to public communication networks including encryption keys.\n                                       Auditing must be enabled to the extent necessary to capture\n4   AU-2          Auditable Events     access, modification, deletion, and movement of FTI by each\n                                       unique user.\n                                       Two-factor authentication is required whenever FTI is being\n5                 Identification and\n    IA-2                               accessed from an alternative work location or if accessing FTI\n                  Authentication\n                                       via an agency\xe2\x80\x99s web portal by an employee or contractor.\n\n\n\n\n                                                                                                Page 20\n\x0c            Affordable Care Act: Expanded Guidance Provided Assistance to\n               the Exchanges, but Greater Assurance of the Protection of\n                           Federal Tax Information Is Needed\n\n\n     Key Control\n        NIST                                   Description of Control As It Applies 
to\n     Designation    Control Name                         Safeguarding FTI\n                                        Passwords meet minimum Publication 1075, Tax Information\n                                        Security Guidelines for Federal, State and Local Agencies,\n                                        requirements. Enforce minimum password complexity\n6                  Identifier           consisting of at least eight (8) alphanumeric, i.e., uppercase and\n     IA-5\n                   Management           lowercase letters, numbers, and/or special characters.\n                                        Change/refresh authenticators every 90 days, at a minimum, for\n                                        a standard user account, and every 60 days, at a minimum, for\n                                        privileged users.\n                                        Any data incident potentially involving FTI must immediately\n7                                       be reported to TIGTA and the IRS Office of Safeguards\n     IR-6          Incident Reporting\n                                        immediately, but no later than 24 hours after identification of a\n                                        possible issue involving FTI.\n\n8                                       The agency must label information system media containing FTI\n     MP-3          Media Marking\n                                        to indicate the distribution limitations and handling caveats.\n                                        If the media will be reused by the agency for the same purpose\n                                        of storing FTI and will not be leaving the organization\xe2\x80\x99s control,\n                                        then clearing is a sufficient method of sanitization. 
If the media\n                                        will be reused and repurposed for a non-FTI function and/or will\n9                                       be leaving the organization\xe2\x80\x99s control, i.e., media being\n     MP-6          Media Sanitization\n                                        exchanged for warranty, cost rebate, or other purposes, and\n                                        where the specific media will not be returned to the agency, then\n                                        purging should be selected as the sanitization method. If the\n                                        media will not be reused at all, then destroying is the method for\n                                        media sanitization.\n                                        Minimum protection standards require two physical barriers\n                                        between FTI and an individual not authorized to access FTI.\n                                        This may be achieved through secured perimeter/locked\n10                 Physical Access\n     PE-3                               container, locked perimeter/secured interior, or locked\n                   Control\n                                        perimeter/security container. FTI must be containerized in areas\n                                        where other than authorized employees or authorized contractors\n                                        may have access after-hours.\n                                        FTI may not be accessed by agency employees, agents,\n                   External             representatives, or contractors located \xe2\x80\x9coff-shore\xe2\x80\x9d (outside of\n11   SA-9          Information System   the United States or its territories). 
FTI may not be received,\n                   Services             stored, processed, or disposed via information technology\n                                        systems located off-shore.\n                                        FTI that may reside in shared system resources, e.g., memory,\n12                 Information in\n     SC-4                               during application sessions is cleared before the memory is\n                   Shared Resources\n                                        released back to the system when the session is terminated.\n\n\n\n\n                                                                                                  Page 21\n\x0c                   Affordable Care Act: Expanded Guidance Provided Assistance to\n                      the Exchanges, but Greater Assurance of the Protection of\n                                  Federal Tax Information Is Needed\n\n\n         Key Control\n            NIST                                          Description of Control As It Applies to\n         Designation         Control Name                           Safeguarding FTI\n                                                  FTI is not directly accessible from the Internet. Virtual Private\n    13                                            Network (or similar technology providing similar protection,\n         SC-7              Boundary Protection\n                                                  e.g., end-to-end encryption) should be used when remotely\n                                                  accessing FTI.\n                                                  The information system protects the integrity of transmitted\n    14                     Transmission           information. 
All FTI in transit must be encrypted when moving\n         SC-8\n                           Integrity              across a Wide Area Network and within the agency\xe2\x80\x99s Local\n                                                  Area Network.\n\n    15                     Transmission           The information system protects the confidentiality of\n         SC-9\n                           Confidentiality        transmitted information.\n\n    16                                            Agencies must identify, report, and correct information system\n         SI-2              Flaw Remediation\n                                                  flaws.\n                                                  The organization employs malicious code protection\n    17                     Malicious Code         mechanisms at information system entry and exit points and at\n         SI-3\n                           Protection             workstations, servers, or mobile computing devices on the\n                                                  network to detect and eradicate malicious code.\n\n    Source: IRS internal document describing the key controls and NIST Special Publication 800-53, Rev. 
3.\n\xc2\xa0\n\n\n\n\n                                                                                                            Page 22\n\x0c   Affordable Care Act: Expanded Guidance Provided Assistance to\n      the Exchanges, but Greater Assurance of the Protection of\n                  Federal Tax Information Is Needed\n\n\n                                                    Appendix V\n\nManagement\xe2\x80\x99s Response to the Draft Report\n\n\n\n\n                                                             \xc2\xa0\n                                                          Page 23\n\x0cAffordable Care Act: Expanded Guidance Provided Assistance to\n   the Exchanges, but Greater Assurance of the Protection of\n               Federal Tax Information Is Needed\n\n\n\n\n                                                       Page 24\n\x0cAffordable Care Act: Expanded Guidance Provided Assistance to\n   the Exchanges, but Greater Assurance of the Protection of\n               Federal Tax Information Is Needed\n\n\n\n\n                                                       Page 25\n\x0cAffordable Care Act: Expanded Guidance Provided Assistance to\n   the Exchanges, but Greater Assurance of the Protection of\n               Federal Tax Information Is Needed\n\n\n\n\n                                                       Page 26\n\x0c'